The program is an independent dispute resolution mechanism operated by the Council of Better Business Bureaus (CBBB), a non-profit organization based in the United States. We help EU and Swiss individuals resolve privacy complaints under the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks.

BBB EU Privacy Shield is a successor program to BBB EU Safe Harbor, one of two original independent dispute resolution mechanisms supporting the US-EU Safe Harbor Framework when it came into effect in 2000.

What are EU-US and Swiss-US Privacy Shield Frameworks?

The U.S. Department of Commerce and the European Commission developed the "-EU-US Privacy Shield-" Framework, enabling U.S. businesses to receive and process personal data from the EU and EAA countries and helping them comply with EU data protection requirements. The EU-US Privacy Shield Framework replaced the US-EU Safe Harbor Framework on July 12, 2016.

On January 12, 2017, the Swiss Government approved the Swiss-US Privacy Shield Framework (replacing the US-Swiss Safe Harbor Framework) as a valid legal mechanism for U.S. companies to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.

What are my rights under Privacy Shield?

If your personal data is collected in the EU or Switzerland and is transferred to the United States for processing pursuant to the Privacy Shield Frameworks, the participating U.S. business must provide you with certain information and options regarding your data. These rights are listed on the U.S. Commerce Department website at https://www.privacyshield.gov/article?id=My-Rights-under-Privacy-Shield.

What is BBB’s role?

Many companies participating in the Privacy Shield Frameworks have chosen BBB EU Privacy Shield to help them resolve privacy disputes that may arise with EU or Swiss individuals including any individual, whereever located, whose data is collected in the EU or Switzerland and transferred to the United States pursuant to Privacy Shield. We refer to these companies as “participating businesses.”

The Privacy Shield Frameworks require that independent dispute resolution mechanisms be impartial, readily available and offered at no cost to EU and Swiss individuals, and that they ensure compliance with the Privacy Shield privacy protections. BBB's obligations as an independent recourse mechanism are listed here.

Is readily accessible to individual complainants through a secure, online complaint intake form accessed directly via a hyperlink in the privacy policy of each Participating Business

Is also visible and accessible on the BBB national website, as part of the main BBB online complaints system

Has always been offered free of charge to individuals

Provides a speedy and fair resolution option through the staff conciliation process

When conciliation fails, provides impartial and enforceable resolution by means of an independent Panelist’s Data Privacy Review and determination of the issues in the dispute

All participating businesses in BBB EU Privacy Shield sign an agreement requiring them to participate in the dispute resolution process, and to abide by final determinations by CBBB or the Panelist, including any sanctions or corrective action.

Participating businesses also agree that if they fail to take corrective action required by a final determination, the matter may be referred to the Federal Trade Commission, and the fact of the referral may be made public by CBBB. Such a referral will also be notified to the Department of Commerce, which may remove the company from the Privacy Shield List for noncompliance.

CBBB publishes an annual BBB EU Privacy Shield Procedure Report that summarizes the number and nature of privacy complaints and inquiries from the public and the actions taken by the CBBB and Panelist; as well as the number and nature of complaints deemed ineligible for processing. If a participating business fails to comply with a final determination of the program and is referred to the Federal Trade Commission for noncompliance, a Case Report will be published in the Procedure Report summarizing case and its outcome, identifying the company and the fact of noncompliance.

How will BBB help resolve my privacy complaint?

File a privacy complaint against a Participating Business using the BBB EU Privacy Shield online complaint form. You can report a company’s violation of a posted Privacy Shield privacy policy or raise a privacy concern about the company's compliance with the Privacy Shield Principles.

The BBB EU Privacy Shield complaints process works as follows:

1. When you submit a complaint, CBBB staff will first verify that the complaint is eligible for resolution under our Procedure Rules, and that they have enough information to move forward. To be eligible, you must be the subject of Personal Data collected in the European Union, Iceland, Liechtenstein, Norway or where applicable, Switzerland, and the complaint must be against a Participating Business. They may ask you for additional information before proceeding.

2. Staff will verify with you that you have made a good faith effort to resolve the complaint with the participating business. Note that the business is required to respond to your complaint within 45 days.

3. Staff will pass on your complaint to the participating business, and will try to help you and the business resolve the complaint through an exchange of information. This process is called conciliation. Staff will try to help you reach a resolution, or settlement, of your complaint within 15 business days. If the complaint is resolved through this process, staff will send you and the business a settlement letter and will close out the case.

4. If conciliation does not resolve the dispute, you will be able to seek a Data Privacy Review, a form of arbitration conducted by an independent decision maker (a Panelist), selected in an impartial manner to avoid conflicts of interest, from CBBB’s Data Privacy Board of privacy experts. CBBB Staff will administer this process, obtaining written statements of your respective positions from you and the participating business. Staff will assemble these documents into the Case Record, which they will present to the Panelist for review.

5. The Panelist may find either no violation of the Privacy Shield Principles and close out the case, or may find that a violation of the Principles occurred. In the latter case, he or she may require corrective action, including (1) access to, correction or suppression of data; or (2) processing of data consistent with the Privacy Shield Principles

5. The Panelist will be asked to make best efforts to issue a Decision within 10 business days of receiving the Case Record. During this time he or she may request additional information from you or the business, and may ask you and the business to take part in a telephone hearing if he or she thinks it necessary to resolve the matter. In that case, CBBB staff will arrange the telephone hearing and will observe the hearing in the public interest.

6. If you should require translation or interpretation services at any time during the complaints procedure they will be provided for you at no cost.

7. All other costs of administering the complaint procedure will be the responsibility of either CBBB or the participating business. The complaint handling service is provided free of charge to individual complainants.

It is the objective of the BBB EU Privacy Shield Procedure to resolve complaints in a transparent, fair and timely manner. Our goal is to resolve conciliated complaints within 15 days, and if a Data Privacy Review is initiated, to conclude that process in no longer than 60 days.